bugzilla-daemon at mindrot.org
2004-Jul-30 23:22 UTC
[Bug 908] AIX OpenSSH allows too many failing login attempts
http://bugzilla.mindrot.org/show_bug.cgi?id=908

           Summary: AIX OpenSSH allows too many failing login attempts
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: matt.small at wellsfargo.com

AIX allows per-user definitions for the maximum number of allowed login attempts (defaulting to 3). After that limit has been exceeded, the user is locked out, and must be unlocked by an administrator. Through OpenSSH, it is possible to get around this restriction, and make additional login attempts.

To reproduce (assuming the system locks an account after 3 total failed attempts, and assuming you have 3 attempts per ssh connection):

- start an ssh connection, fail your login twice, and exit out
- start a new session, fail twice, then enter the correct password, and you will be accepted into the system (note that there were 4 failed attempts before the successful login)

I believe the problem lies in how OpenSSH determines login permissions. There is an initial check made to ensure that the user can log in, but after that no additional checks are made. And once a successful login is made, the counter is reset, incorrectly allowing future logins.

To fix this, the loginrestrictions() function (AIX-specific) needs to be checked before each login attempt (_before_ a login is accepted).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
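As an added illustration that is not the reporter's patch or OpenSSH's own code: a small Python model of the reproduction above, with the lockout check placed either once per session (the reported behaviour) or before every attempt (what the report proposes). The Account class and its restricted()/record() methods are assumed stand-ins for AIX's login accounting and loginrestrictions(); the 3-attempt limits are taken from the report.

```python
# Added illustration, not the reporter's patch or OpenSSH code: a model of where
# sshd consults the AIX per-user failed-login limit. Account and its methods are
# assumed stand-ins for AIX login accounting and loginrestrictions().
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Account:
    password: str
    max_failures: int = 3   # per-user limit, default 3 per the report
    failures: int = 0       # failed logins recorded by the OS

    def restricted(self) -> bool:
        """Stand-in for loginrestrictions(): locked once the limit is hit."""
        return self.failures >= self.max_failures

    def record(self, success: bool) -> None:
        """Stand-in for OS login accounting; a success resets the counter."""
        self.failures = 0 if success else self.failures + 1


def ssh_session(acct: Account, passwords: List[str],
                check_each_attempt: bool, per_session_max: int = 3) -> bool:
    """One SSH connection offering up to per_session_max passwords.
    False = check once at session start (the reported behaviour);
    True = re-check before every attempt (the proposed fix)."""
    if acct.restricted():
        return False
    for pw in passwords[:per_session_max]:
        if check_each_attempt and acct.restricted():
            return False
        ok = pw == acct.password
        acct.record(ok)
        if ok:
            return True
    return False


def reproduce(check_each_attempt: bool) -> Tuple[bool, bool, int]:
    """Replay the report's two sessions; returns (login1, login2, failures)."""
    acct = Account(password="correct-password")
    first = ssh_session(acct, ["wrong", "wrong"], check_each_attempt)
    second = ssh_session(acct, ["wrong", "wrong", "correct-password"],
                         check_each_attempt)
    return first, second, acct.failures
```

reproduce(False) returns (False, True, 0): the second session logs in after four failures and the counter is reset. reproduce(True) returns (False, False, 3): the third failure locks the account and the next attempt is refused before a password is even tried.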
bugzilla-daemon at mindrot.org
2004-Jul-30 23:25 UTC
[Bug 908] AIX OpenSSH allows too many failing login attempts
http://bugzilla.mindrot.org/show_bug.cgi?id=908

------- Additional Comments From matt.small at wellsfargo.com 2004-07-31 09:24 -------
Created an attachment (id=696)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=696&action=view)
proposed patch

With excellent comments and suggestions from Darren Tucker on my initial version, this is a much improved patch (thankfully, the original need not see the light of day). It's against the 20040730 snapshot, and I've tested it on AIX 5.1.
bugzilla-daemon at mindrot.org
2004-Aug-12 11:52 UTC
[Bug 908] AIX OpenSSH allows too many failing login attempts
http://bugzilla.mindrot.org/show_bug.cgi?id=908

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From dtucker at zip.com.au 2004-08-12 21:51 -------
I just tried that on 5.2 but it still allows the login after locking out the account via telnet. I suspect there's some kind of caching going on, but neither setpwent/endpwent nor setuserdb/enduserdb make a difference.